@ChrisGrout this should be possible using Defender for Cloud Apps and Purview.  If you assign a site or group label you can used "app enforced restrictions" which is part of SPO.  Set the label policy for sites and groups to allow web-only access, this will prevent the file from being opened in native clients or sync'd.

 

Use app-enforced restrictions - SharePoint in Microsoft 365 | Microsoft Learn

 

 

 

Then in combination use a session policy to block copy/paste.

 

Copy / print can be blocked on the endpoint itself using labels and groups, but the file itself would need to have the labeled applied.

 

Chris, combining app-enforced restrictions and session policies as Keith outlined provides a good data protection foundation. Additionally, I would leverage Sensitivity labels to enable more granular control over copy/paste, download, and access policies based on content types rather than blanket restrictions. Tailoring Sensitivity labels by content makes restrictions smarter - you can dictate that only financial or PII data face restrictions while allowing flexibility for other content. And labels provide helpful auditing trails. This layered model - app restrictions, session policies, and targeted Sensitivity labels - delivers preventative and detective controls for comprehensive data governance. It enforces protection consistently across apps and devices.

Nonetheless, I still advise having backup solutions for your Microsoft 365 data as a last line of defense. Even robust preventative measures can fail, making recovery capabilities critical. Let me know if you want recommendations on backup options.